Could it withstand 100,000,000,000,000 guesses, the kind of scrutiny it might face if it were stolen in a data breach and attacked offline on specialist hardware?

Too hard? How about 1,000,000 guesses? That’s the sort of resilience a password needs in order to fend off a much slower online attack against a website’s login page.

Still too hard? What about 100 guesses? That’s the number of failed attempts that the very latest NIST (National Institute of Standards and Technology) guidelines suggest should trigger a lock-out:

Unless otherwise specified in the description of a given authenticator, the verifier SHALL effectively limit online attackers to 100 consecutive failed attempts on a single account in any 30 day period.

100 guesses is nothing. We can all make a password that withstands 100 attempts, right?

Maybe not.

According to recent research out of China and the UK, an attacker with a little of your PII (Personally Identifiable Information) has a one in five chance of guessing your password before they hit NIST’s 100-guess shutout.

The researchers from China’s Fujian Normal and Peking Universities, and the UK’s Lancaster University, have developed TarGuess, a framework that intelligently targets individual users based on personal information that an attacker might reasonably have access to.

TarGuess-I uses PII such as your name and birthday. According to the researchers it can:

…achieve about 20% success rates against normal users with just 100 guesses, 25% with 10^3 guesses, and 50% with 10^6 guesses. This suggests that the majority of normal users’ passwords are prone to a small number of targeted online guesses (eg 100 as allowed by NIST)

If you’re one of the hundreds of millions of people whose details have been stolen in attacks on Adobe, Yahoo, LinkedIn and others, then your publicly available PII could include another of your passwords, a so-called “sister password”.

Those “sister passwords” can give clues about how you create passwords – add them to TarGuess and the chances of beating the NIST shutout are even higher:

TarGuess-III and IV [which use sister passwords] can gain success rates as high as 73% with just 100 guesses against normal users and 32% against security-savvy users

A widening chasm?

A few years ago Microsoft Research conducted a detailed study into real-world password protection (you can read all about it in my article Do we really need strong passwords?) and highlighted what they called the online-offline chasm.

The chasm is the difference between how many guesses your password needs to withstand to deal with an online attack (about 1 million guesses) and how strong it needs to be to deal with an offline attack (about 100 trillion guesses).

Online attacks occur when someone attempts to log in to a website by guessing the password (they wouldn’t type the password themselves of course, they’d use software that types far, far faster and doesn’t get bored).

Offline attacks occur when someone steals, buys or otherwise finds themselves in possession of a website’s password database and can crack them directly using specialist software and hardware.

The researchers concluded that there was little to be gained by making passwords that sit in the vast ‘chasm’ between the two thresholds; if your password is good enough to withstand 1 million guesses it won’t get substantially better until it can withstand 100 trillion.

The paper was part of a broader change in thinking about passwords (of which the latest NIST guidelines are also a good example) that’s attempting to shift the burden of password security away from users and back onto system owners and administrators.

In effect the authors were telling system administrators to take the strain; you worry about the offline attacks they said, and leave users the simple job of making passwords that can handle 1 million guesses – just six characters chosen at random should be enough.

TarGuess and its developers show us that even that might be too much to ask:

…normal users’ passwords are even not strong enough to resist online guessing and still far away from the “online-offline chasm”

Many of us remain wedded to our truly terrible passwords.

The researchers used password databases from nine massive breaches including CSDN, Yahoo and RockYou most of which occurred within the last six years.

In seven of the nine databases 123456 was the most popular password, and none of the top 10 passwords in any of the breaches would surprise readers of the annual most popular password lists published by SplashData.

The bottom line

Don’t allow users to use 123456, password, or any other known bad passwords, and use a reputable password strength meter to ensure they can’t pick other passwords that might be easy to crack.

Use rate limiting and lock-outs to bolster poor passwords and use two-factor authentication so that when a password is cracked it’s not enough by itself to give an attacker access.
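Putting the NIST rule quoted earlier and this bottom-line advice into code, here is an added example written for this edit (it is not code from the article, from Sophos or from NIST). It implements the verifier side of a login: a known-bad-password check at registration, a salted slow hash so a stolen database still costs an offline attacker, and a per-account limiter that refuses the 101st consecutive failed attempt within 30 days. The blocklist entries are a constructed handful of the “123456”/“password” kind; the window is treated as sliding (failures older than 30 days expire and a successful login clears the count), which is this example’s reading of the guideline rather than NIST’s wording.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Constructed blocklist: a few entries of the kind that top every breach list.
# A real deployment checks against a full list of breached/common passwords.
BLOCKLIST = {"123456", "password", "12345678", "qwerty", "123456789", "111111"}

PBKDF2_ITERATIONS = 100_000  # slow hash: an offline attacker pays this per guess
_DUMMY_SALT = os.urandom(16)  # used so unknown accounts take as long as real ones


def password_acceptable(candidate: str) -> bool:
    """Reject known-bad passwords; 8 is NIST SP 800-63B's minimum length for user-chosen secrets."""
    return len(candidate) >= 8 and candidate.lower() not in BLOCKLIST


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountLimiter:
    """Per-account failure counter for the quoted NIST rule: at most `limit`
    consecutive failed attempts on one account in any `window`.
    Assumption of this example: failures older than the window expire and a
    successful login clears the count (that is what makes them "consecutive")."""

    def __init__(self, limit: int = 100, window: timedelta = timedelta(days=30)):
        self.limit = limit
        self.window = window
        self._failures: dict[str, list[datetime]] = {}

    def _recent(self, account: str, now: datetime) -> list[datetime]:
        cutoff = now - self.window
        kept = [t for t in self._failures.get(account, []) if t > cutoff]
        self._failures[account] = kept
        return kept

    def failures(self, account: str, now: datetime) -> int:
        return len(self._recent(account, now))

    def is_locked(self, account: str, now: datetime) -> bool:
        return self.failures(account, now) >= self.limit

    def record_failure(self, account: str, now: datetime) -> None:
        self._recent(account, now).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


class Verifier:
    """Registration with a blocklist check, and login guarded by the limiter."""

    def __init__(self, limiter: AccountLimiter | None = None):
        self.limiter = limiter or AccountLimiter()
        self._creds: dict[str, tuple[bytes, bytes]] = {}

    def register(self, account: str, password: str) -> bool:
        if not password_acceptable(password):
            return False
        self._creds[account] = hash_password(password)
        return True

    def login(self, account: str, password: str, now: datetime) -> str:
        """Returns "locked", "ok" or "denied". The lock check runs before any
        hashing, so a locked account does no expensive work for the attacker."""
        if self.limiter.is_locked(account, now):
            return "locked"
        stored = self._creds.get(account)
        if stored is None:
            # Unknown account: hash anyway (uniform timing) and count the failure,
            # so lock-out behaviour does not reveal which accounts exist.
            hash_password(password, _DUMMY_SALT)
            self.limiter.record_failure(account, now)
            return "denied"
        salt, digest = stored
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            self.limiter.record_success(account)
            return "ok"
        self.limiter.record_failure(account, now)
        return "denied"
```

A per-account lock-out of this kind is also something an attacker can trigger on purpose to keep the real user out, so in practice it is paired with source-based throttling and a recovery path for the legitimate owner; two-factor authentication is a separate layer and is not shown here.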

If you’re a website user arm yourself with a password manager. It’ll do the job of creating and remembering passwords for you which means you can create as many incredibly strong passwords as you need.

Of course you’ll need to create and remember at least one really strong password to protect the password manager itself. For that we suggest you watch our video on how to pick a proper password:

About the author

Mark is the man who keeps the Naked Security site running. He is also a writer for Sophos, is the founder of independent web consultancy Compound Eye and he's interested in literally anything that makes websites better.

The problem with locking account on successive failed password attempts is it makes denial of service super easy. If an attacker wants to prevent you from getting into your accounts, all he has to do is guess “password” 1001 times, and you’re locked out for 30 days under the NIST guidelines. Or until you call customer service to get things reset, in which case he’ll just do it again. Meanwhile, another attacker who has penetrated the system and gotten your password hash isn’t affected by this limit at all.

I read the NIST guidelines differently – they limit you to 100 consecutive failed guesses in a 30 day period. You might achieve that by adding ever-growing delays to failed login attempts e.g. you have to wait 2 seconds after the first fail, then 4 then 8, 16, 32, 64, 128 etc.

And yes, denial of service might be a problem but I’d expect this sort of hacking (targeted password attacks) to be done by criminals who’ve made a cost/benefit analysis and determined that the prize is worth the effort. It seems to me that whilst the effort of doing a denial of service is low, probably far lower than a targeted password attack, there’s no pay day, unless perhaps you hold access to ransom.

Instead of adding ever-growing delays to failed login attempts (which still constitutes a Denial of Service attack, at least one that degrades access), it’d be better to do something like throwing up a CAPTCHA at some point (after N failures) to reduce the ability to automate the login attempts, and perhaps combine that with throttling of attempts from IP addresses that generate failed login attempts.

With IPv6 having almost limitless IP addresses, one might want to downgrade to IPv4 access for the login form/system after sensing an “attack”.

We continue to be hobbled by websites with bad password rules. A major American retailer’s website recently told me to keep my password very short when resetting it. Very short as in under 15 characters. That’s absurd in today’s world.

My password manager is great. It’s to the point where I don’t even know my own password for about half of the usernames I use. They are in the password vault. My master vault password is more than 16 characters but less than 20. (Less than 20, so that it’s not too terribly painful to unlock the vault over and over again.) I have estimated that if a hacker were to take shortcuts, it would still take approximately 92 quadrillion guesses. Even if intelligent algorithms cut that number by 95%, it would still be comfortably above the first number mentioned in the article, 100 trillion guesses. Password length is king. It just takes a little while to get used to using words that have nothing to do with you as a baseline.

Many of my online passwords have now been auto-generated to a 20-character-long random string with punctuation characters. Curse websites that force passwords less than 16 or 20 characters.

So, yes, I can see password denial-of-service becoming an issue. A smart programmer will get ahead of the issue by implementing repeat-ignoring and rate-limit-ignoring algorithms, so that if passwords are entered too rapidly, or are repeated more than a few times in a row, they should be simply dropped and not added to the retry count. On one hand, this will merely delay a dedicated denial-of-service attack. On the other hand, it can still defeat poorly-programmed attacks.

Mark, I don’t think that “reputable password strength meter” link is the one you meant to share.
It leads to Duck’s article entitled “CCTV that lets the crooks watch you, not the other way around…”, not one of the two that I can recall about password strength meters.

Not only do you need to remember your password manager password but also your OS login password too 🙂 but that’s only 2. This still holds true if you can access your passwords on your mobile device, as even if you store your OS password you hopefully still need a password or PIN code to get into your phone; unless you use a biometric, of course, then it becomes only 1 to remember.

Seems the easiest way to thwart the attack yet keep the helpdesk workload low is to allow 3 consecutive wrong guesses then deactivate the account for 10 minutes. This reduces the effectiveness of a denial of service. Hopefully one will not allow a weak password, and will require at least two characters of each of the 4 character sets (ie 2 numbers, 2 lower case, 2 upper case, and 2 special characters), and require a password of at least 10 characters. Password security should be up front, not an afterthought. Log each of the failures as well as the source IP. An automated attack can readily be detected and the source IP blocked for an hour using scripts to the firewall. This will not stop a botnet immediately but it will slow it down. Ensuring users use a highly complex password at user creation goes far.